NSX Experience Day Axians GNS AG


NSX Experience Day, Axians GNS AG, 26 Nov 2016. Christoph Altherr, NSX Specialist SE, caltherr@vmware.com. © VMware Inc. All rights reserved.

Agenda
- Lecture 01 - Introduction to NSX (30 min)
- Lecture 02 - NSX Architecture (30 min)
- Lab 01 (15 min) - HOL-1803-05-NET, Module 1: NSX Manager Installation and Configuration
- Lecture 03 - Logical Switching and Routing (60 min)
- Lab 02 (30 min) - HOL-1803-05-NET, Module 2: Logical Switching
- Lab 03 (60 min) - HOL-1803-05-NET, Module 3: Logical Routing
- Lecture 04 - Introduction to NSX Security (30 min)
- Lecture 05 - Getting Started with Security and NSX (15 min)
- Lab 04 (45 min) - HOL-1803-05-NET, Module 4: Service Composer and Distributed Firewall Overview
- Lecture 06 - Policy Creation (15 min)
- Lab 05 (30 min) - HOL-1803-05-NET, Module 5: Intelligent Grouping
- Lab 06 (45 min) - HOL-1803-05-NET, Module 6: User Based Security with a Jump Box
- Lab 07 (30 min) - HOL-1803-05-NET, Module 7: Application Rule Manager
- Lecture 07 - Operations & Visibility (30 min)
- Lab 08 (45 min) - HOL-1829-01-NET, Module 2: 360 Visibility across Virtual and Physical

WLAN SSID: GNS-Guest. Web redirection: user / password as per voucher.

VMware Hands-On Labs (HOL), NSX Security Experience Day labs
- Catalog: http://labs.hol.vmware.com, HOL workshops: http://labs.hol.vmware.com/hol/catalogs/catalog/757
- Alternative access option: http://web.hol.vmware.com/landingpages/index.aspx?id=socialab
- Enroll in the lab: http://labs.hol.vmware.com/hol/catalogs/lab/4047
- Start the lab: http://labs.hol.vmware.com/hol/catalogs/lab/4047; lab manual: http://docs.hol.vmware.com/hol-2018/hol-1803-05-net_pdf_en.pdf
- Extend the remaining lab time

Introduction to NSX

In short, software is eating the world. Marc Andreessen, General Partner, Andreessen Horowitz and Netscape co-founder

The Data Center Networking Challenge: there has been a lot of innovation and virtualization in the data center, except for one area. (Diagram: compute and storage virtualized, networking not.)

The Data Center Networking Challenge: the lack of network virtualization is holding back your ability to keep up with the pace of business, secure your data centers and control cost.

The Emerging Cloud Networking Challenge: public clouds solve some of the limitations of data centers, but they can also introduce new networking and security challenges: multiple clouds, inconsistent tools and policies, different skillsets.

Network Virtualization Solves These Problems: abstracting networking and security from the underlying infrastructure, whether data center, cloud, branch office or IoT.

NSX Vision: Driving NSX Everywhere. Managing security and connectivity for many heterogeneous end points: cloud, branch offices/edge computing/IoT, new app frameworks, on-premises data center, end users.

NSX Value Proposition (diagram built up over three slides): workloads sit on the NSX platform, which delivers routing, switching, load balancing and firewalling as network and security services, either in the hypervisor vSwitch (on-prem) or as a service (cloud), independent of hardware and cloud; beneath it the virtualization layer abstracts network, storage and compute.

Ground-breaking use cases: enterprises can often justify the cost of NSX through a single use case.

VMware NSX is to networking what VMware ESXi is to compute.

NSX Architecture

NSX Architecture and Components (logical networks on top of the physical network)
- Cloud consumption (optional): self-service portal; vRealize Automation, OpenStack, vCloud Director or a custom CMP
- Management plane: vCenter Server and NSX Manager; single configuration portal and REST API entry point
- Control plane: NSX Controller and NSX Edge; manages logical networks via the control plane protocol; separation of control and data plane; the controller is not in the data path
- Data plane: VDS with hypervisor kernel modules (logical switch, distributed logical router, firewall) plus HW VTEP; high-performance data plane; scale-out distributed forwarding model; flexibility for connecting logical networks to physical

NSX Management Plane Components
- Consumers: vRA/OpenStack/custom via vSphere APIs and NSX REST APIs; third-party management consoles; the NSX Manager vSphere plugin as single pane of glass
- NSX Manager: runs as a virtual machine, paired 1:1 with vCenter; provisioning and management of networks and network services; VXLAN preparation; logical network consumption; network services configuration

NSX Control Plane Components
- NSX Controllers run in a vSphere cluster under vSphere HA and DRS with anti-affinity rules; virtual form factor (4 vCPU, 4 GB RAM)
- Properties: data plane programming; control plane isolation
- Benefits: scale out; high availability; VXLAN without multicast; ARP suppression
- On the ESXi host: host agent and data-path kernel modules

NSX Data Plane Components
- vSphere components (compute clusters): ESXi hypervisor kernel modules (VIBs) on the vSphere Distributed Switch (VDS): logical switching (VXLAN), distributed logical router, distributed firewall
- NSX Edge Services Gateways (edge clusters): VM form factor, highly available; dynamic routing (OSPF, BGP); L3-L7 services: NAT, DHCP, load balancer, VPN, firewall
- HW VTEP (physical-to-virtual): ToR switch; bandwidth and physical port scale-out; VLANs for physical workloads local to a rack

NSX Component Interaction: Deployment and Configuration
1. Deploy NSX Manager
2. Register NSX Manager with vCenter
3. Deploy the NSX Controllers
4. Prepare the hosts (vSphere clusters 1 to n)
5. Configure and deploy NSX Edge gateway(s) and network services

Deploying and Configuring VMware NSX
- One time (deploy NSX, virtual infrastructure): component deployment (deploy NSX Manager, deploy the NSX Controller cluster); preparation (host preparation, logical network preparation)
- Recurring (consumption through NSX Manager and NSX Edge, programmatic virtual network deployment): logical networks (deploy logical switches per tier, deploy a distributed logical router or connect to an existing one); logical network/security services (security policy and network services)

Lab 01 NSX Manager Installation and Configuration Lab time: 15 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 11 through 17 Do not END your lab, in fact extend it

Logical Switching

Physical view, VMs in dvPGs (distributed virtual port groups): VM1-VM3 (172.16.10.11, 172.16.10.12, 172.16.10.13) and VM4-VM6 attached to the VLAN-backed port groups dvpg1 and dvpg2 of the vSphere Distributed Switch, over the physical network.

Physical view, VMs in LSs (logical switches): the same VMs attached to the VXLAN-backed logical switches LS1 and LS2 provided by NSX, next to the VLAN-backed dvpg1 and dvpg2 on the same VDS; the overlay rides on the hosts' VTEP addresses 192.168.0.50, 192.168.100.50 and 192.168.200.50 on the physical network.

Traffic Flow, VXLAN-backed VDS: in this setup VM1 and VM2 are on different hosts (Host A and Host B) but belong to the same logical switch. When these VMs communicate, a VXLAN overlay is established between the two hosts across the IP fabric; encapsulation happens at the kernel level in the ESXi host, at the VTEP (VXLAN Tunnel End Point). NSX enables multicast-free VXLAN with the help of the NSX Controllers.

Traffic Flow, VXLAN-backed VDS. Assume VM1 sends some traffic to VM2:
1. VM1 sends an L2 frame to the local VTEP
2. The VTEP adds VXLAN, UDP and IP headers
3. The physical transport network forwards it as a regular IP packet
4. The destination hypervisor's VTEP de-encapsulates the frame
5. The L2 frame is delivered to VM2

Traffic Flow Troubleshooting, VXLAN-backed VDS: the same five steps, with one detail that matters when you trace on the wire: the VTEP derives the outer UDP source port from a hash of the original L2/L3/L4 headers, so that the transport network can spread flows between the same two VTEPs across ECMP paths. A capture filter pinned to one UDP source port will therefore miss most of a conversation; filter on the VXLAN destination port instead. References: VMworld NET8241, Monitoring and Troubleshooting NSX with vRealize Network Insight; NSX-V End-to-End Traceflow Visualization Tool: https://github.com/vmware/nsx-traceflow-pv
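The encapsulation and de-encapsulation steps above, as an added example (not code from the deck or from NSX): a VTEP wraps VM1's frame in VXLAN/UDP/IPv4, derives the outer UDP source port from a hash of the inner headers, and the receiving VTEP validates and strips the outer headers, dropping packets for a VNI it has no logical switch for. VM addresses, VTEP addresses and the VNI follow the slide diagrams; the MAC addresses are made up, and the outer Ethernet header is left out because the physical NIC adds it.

```python
"""VXLAN encapsulation and de-encapsulation as a VTEP does it (steps 2 and 4).
Added example; addresses taken from the slides, MACs invented, outer Ethernet omitted.
"""
import hashlib
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid (RFC 7348)
IP_PROTO_UDP = 17


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _ip_checksum(header: bytes) -> int:
    """One's-complement checksum; a valid header (checksum included) sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(length: int, proto: int, src: str, dst: str) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0x4000, 64, proto, 0,
                      _ipv4(src), _ipv4(dst))
    return hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]


def build_inner_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Step 1: the L2 frame VM1 hands to its vNIC (Ethernet + IPv4 + TCP SYN)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = _ipv4_header(20 + len(tcp) + len(payload), 6, src_ip, dst_ip)
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip + tcp + payload


def vxlan_source_port(inner_frame: bytes) -> int:
    """Outer UDP source port = hash of the inner Ethernet/IP/L4 headers (38 bytes),
    so ECMP in the fabric can spread flows between the same two VTEPs over
    different paths. Kept above 1023, the usual ephemeral-port convention."""
    digest = hashlib.sha256(inner_frame[:38]).digest()
    return 1024 + int.from_bytes(digest[:2], "big") % (65535 - 1024)


def vxlan_encap(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str) -> bytes:
    """Step 2: wrap the L2 frame in VXLAN + UDP + IPv4 for the transport network."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)   # flags, reserved, VNI, reserved
    payload = vxlan + inner_frame
    udp = struct.pack("!HHHH", vxlan_source_port(inner_frame), VXLAN_UDP_PORT,
                      8 + len(payload), 0)                 # UDP checksum 0 = not used
    return _ipv4_header(28 + len(payload), IP_PROTO_UDP, src_vtep, dst_vtep) + udp + payload


def vxlan_decap(packet: bytes, local_vnis):
    """Step 4: validate and strip the outer headers; returns (vni, inner_frame), or
    None for anything that is not valid VXLAN for a logical switch on this host."""
    if len(packet) < 36 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 16 or packet[9] != IP_PROTO_UDP:
        return None
    if _ip_checksum(packet[:ihl]) != 0:        # corrupted outer header
        return None
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        return None
    flags, vni_field = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    vni = vni_field >> 8
    if not flags & VXLAN_FLAG_I or vni not in local_vnis:
        return None
    return vni, packet[ihl + 16:ihl + udp_len]


def demo():
    """VM1 (172.16.10.11) to VM2 (172.16.10.12) on VNI 5001, Host A VTEP to Host B VTEP."""
    frame = build_inner_frame("00:50:56:01:00:01", "00:50:56:01:00:02",
                              "172.16.10.11", "172.16.10.12", 40000, 443)
    packet = vxlan_encap(frame, 5001, "192.168.0.50", "192.168.100.50")
    return frame, packet, vxlan_decap(packet, {5001})


if __name__ == "__main__":
    frame, packet, result = demo()
    print(len(frame), "byte frame ->", len(packet), "byte packet; round trip ok:", result == (5001, frame))
```

Feed the output of `demo()` to a pcap writer and Wireshark decodes it as VXLAN because of destination port 4789; change the inner source port and the outer source port moves, which is the behaviour the troubleshooting slide is pointing at.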

Logical Routing

NSX Logical Routing Component: Edge Services Gateway
- On/off-ramp connectivity between logical and physical networks
- Optimized for north-south routing: static, OSPF, BGP
- Network services: firewall, NAT, load balancing, VPN, DHCP, DNS

NSX Logical Routing Component: Distributed Logical Router (DLR)
- Optimized for east-west routing; hypervisor kernel modules (VIBs) instantiated on the ESXi hosts
- LIFs (logical interfaces) are defined on the distributed router to handle VM default gateway traffic; multiple LIFs per DLR instance
- Multiple DLR instances to isolate separate tenant domains
- The DLR Control VM peers with the Edge Services Gateway and exchanges routing information

NSX Logical Routing Components Interaction (OSPF/BGP peering)
1. A dynamic routing protocol is configured on the logical router instance through NSX Manager
2. The Controller pushes the new logical router configuration, including the LIFs, to the ESXi hosts
3. OSPF/BGP peering is established between the NSX Edge (acting as next-hop router, 192.168.10.1 in the diagram) and the logical router Control VM (192.168.10.3)
4. Routes learnt from the NSX Edge are pushed to the Controller cluster for distribution
5. The Controller sends the route updates to all ESXi hosts
6. The routing kernel modules on the hosts handle the data path (DLR uplink 192.168.10.2 in the diagram; connected subnets 172.16.10.0/24, 172.16.20.0/24, 172.16.30.0/24)

Distributed Routing Traffic Flow, Same Host. VM1 (172.16.1.10, MAC1) on VXLAN 5001 and VM2 (172.16.2.10, MAC2) on VXLAN 5002 run on the same vSphere host; the DLR's internal LIFs LIF1 (172.16.1.1) and LIF2 (172.16.2.1) share the vMAC.
1. VM1 sends a packet with SA 172.16.1.10, DA 172.16.2.10 and an L2 header with SA MAC1, DA vMAC (its default gateway, LIF1)
2. The DLR kernel module on the host looks the destination up in its routing table
3. It resolves 172.16.2.10 to MAC2 from the ARP table of LIF2
4. The packet is delivered to VM2 on LIF2 without leaving the host

DLR routing table:
Destination   Mask            Gateway   Interface  Connect
172.16.1.0    255.255.255.0   0.0.0.0   LIF1       Direct
172.16.2.0    255.255.255.0   0.0.0.0   LIF2       Direct

Lab 02 Logical Switching Lab time: 30 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 19 through 63 Do not END your lab, in fact extend it

Lab 03 Logical Routing Lab time: 45 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 65 through 233 Do not END your lab, in fact extend it

Introduction to NSX Security

Security with NSX: Micro-segmentation, Secure end user, DMZ Anywhere

Our security realities: when threats breach the perimeter, it is hard to stop lateral spread. Low-priority systems are often targeted first; attackers can then move freely around the data center, gather the valuable data and exfiltrate it. (Diagram: Internet, network perimeter, data center.)

What if you could enforce security at the most granular level of the data center? With micro-segmentation every VM can have individual security policies and an individual firewall.

What if you could maintain that level of consistent security across an entire application? Modern apps are distributed in nature and each VM is typically part of a larger application (for example a web tier and a DB tier), so security needs to reach beyond an individual VM.

Better security, simplified policy: define a policy using workload characteristics, not IPs and ports. An NSX security policy can be based on things like operating system, machine name, services, application tier, regulatory requirements (for example PCI scope) or security posture. Creating and managing policies becomes a whole lot easier.

Non-NSX, loosely chained/attached firewalling: an L2 firewall VM placed between a secured port group (dvpg1, VM1-VM3) and an unsecured one (dvpg2, VM4) on the same VDS, each side with its own default gateway, can easily be bypassed, by accident or wilfully, because enforcement depends on where a VM happens to be attached rather than on the VM itself.

VMware NSX Micro-Segmentation, VMs in dvPGs and VMs in logical switches: the same two diagrams as in the Logical Switching section (VM1-VM6 on the VLAN-backed dvpg1/dvpg2, then on the VXLAN-backed LS1/LS2 with VTEPs 192.168.0.50, 192.168.100.50, 192.168.200.50).

NSX Distributed Firewalling, Micro-segmentation: behind the perimeter firewall (DMZ) and the inside firewall, each VM can now be its own perimeter. Policies align with logical groups (Finance, HR, Engineering; App and DB tiers; shared services such as AD, NTP, DHCP, DNS, CERT), which prevents threats from spreading. Reference: VMworld SEC8348, Deploying Security in a Brownfield Environment.

NSX Distributed Firewalling, Micro-segmentation. Source: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmware-nsx-microsegmentation.pdf

Security Group "in action"

DFW Centralized Management: objects usable in rules
- Identity: user identity, groups
- vCenter containers: datacenters and clusters, port groups, VXLAN (logical switches)
- VM containers: VM names, VM tags, VM attributes
- Services: protocol, ports, custom services
- IPv6 compliant: IPv6 addresses, IPv6 sets, IPv6 services
- Choice of policy enforcement point (PEP): clusters, VXLAN, vNICs

Security with NSX: Micro-segmentation, Secure end user, DMZ Anywhere

Our security realities: proliferation of devices accessing the data center, yet not all of them are secured. Mobile workers have broad access to data center resources: VDI at a branch or remote location, mobile devices in the field or at home, laptops or desktops at work or at home.

What if you could extend micro-segmentation out to secure the end user device? Micro-segmentation limits device access to only what is needed, whether the device is VDI at a branch or remote location, a mobile device in the field or at home, or a laptop or desktop at work or at home.

Security with NSX: Micro-segmentation, Secure end user, DMZ Anywhere

Our security realities: isolating physical infrastructure for security is effective but inefficient. A physical DMZ kept apart from the core infrastructure means manual processes, inefficient use of pooled resources and high CapEx investment.

What if you could pool your physical infrastructure resources, provide the isolation at the hypervisor layer instead, and so create DMZs anywhere, regardless of their location? Scalable and flexible; increases asset utilization; simplifies management.

Getting Started with Security and NSX

NSX Security Features
- Inherently secure infrastructure
- Micro-segmentation: distributed firewall for inter-/intra-zone segmentation; rules based on IP, MAC, VM attributes, vCenter and external context
- Secure end user: VDI security with the NSX distributed firewall, context based on Active Directory; guest introspection for anti-virus and malware protection
- DMZ anywhere: DMZ for PCI, HIPAA and other compliance; guest introspection for anti-virus and malware protection, third-party firewall, IPS/IDS

Getting Started with NSX Security
1. Run a Virtual Network Assessment: deploy vRNI to understand the current state of the infrastructure based on flow analysis. No need to install NSX yet!
2. Deploy NSX: install the NSX bits and prepare the hosts to deploy the NSX distributed firewall. No changes to your existing infrastructure. Hint: you can automate this!
3. Create infrastructure DFW rules: use the data from the Virtual Network Assessment to build firewall policy for core services like DNS, syslog, AD and more. This gives apps access to core services.
4. Run Application Rule Manager: ARM analysis can be used to analyze the posture of your apps and automatically create new rules. Build a micro-segmentation policy.
5. Micro-segment and monitor: repeat for other apps, send logs to syslog and monitor your apps. Micro-segmentation done!
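Step 5 says to send the firewall logs to syslog and monitor. What you want out of those logs, once the default rule has been flipped to deny, is the list of flows that nobody whitelisted: each one is either an attack or a dependency the assessment missed. The parser below is an added example, not VMware code; the lines are constructed in the layout of the distributed firewall packet log (`dfwpktlogs.log` on the ESXi host), with invented VM hashes, and rule ID 1001 plays the role of the default rule.

```python
"""Parse DFW packet-log lines and list what the default deny rule is dropping.
Added example; the lines are constructed in the dfwpktlogs.log layout, the
hashes and rule IDs are made up.
"""
import re
from collections import Counter

# <timestamp> <vm hash> INET|INET6 match <action> <domain>/<rule id> <IN|OUT> <len> <proto> <src>/<sport>-><dst>/<dport> [flags]
DFW_MATCH = re.compile(
    r"^(?P<ts>\S+) (?P<vmhash>\S+) INET6? match (?P<action>PASS|DROP|REJECT) "
    r"(?P<domain>[\w-]+)/(?P<rule>\d+) (?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>\w+) "
    r"(?P<src>[0-9a-fA-F.:]+)/(?P<sport>\d+)->(?P<dst>[0-9a-fA-F.:]+)/(?P<dport>\d+)"
)

# Constructed sample: 1002-1004 are whitelist rules, 1001 is the default rule
# after it was switched to deny. The last line is a session-termination record
# in a different layout, which the parser must skip rather than choke on.
SAMPLE_LOG = """\
2016-11-26T09:15:02.113Z 1a2b3c4d INET match PASS domain-c7/1004 OUT 52 TCP 172.16.10.11/45120->172.16.20.12/1433 S
2016-11-26T09:15:02.119Z 1a2b3c4d INET match DROP domain-c7/1001 OUT 60 TCP 172.16.10.11/45121->172.16.30.13/22 S
2016-11-26T09:15:03.004Z 1a2b3c4d INET match DROP domain-c7/1001 OUT 60 TCP 172.16.10.11/45122->172.16.30.13/22 S
2016-11-26T09:15:04.870Z 9f8e7d6c INET match DROP domain-c7/1001 IN 78 UDP 10.0.0.5/53999->172.16.10.11/161
2016-11-26T09:15:05.000Z 9f8e7d6c INET match PASS domain-c7/1002 IN 52 TCP 10.0.0.9/38404->172.16.10.11/22 S
2016-11-26T09:15:05.010Z 9f8e7d6c INET TERM domain-c7/1002 IN TCP RST 10.0.0.9/38404->172.16.10.11/22
"""


def parse_dfw_log(text):
    """Return one dict per 'match' line; anything in another layout is ignored."""
    events = []
    for line in text.splitlines():
        m = DFW_MATCH.match(line)
        if not m:
            continue
        event = m.groupdict()
        for key in ("rule", "len", "sport", "dport"):
            event[key] = int(event[key])
        events.append(event)
    return events


def hits_per_rule(events):
    """(rule id, action) -> count; a whitelist rule that never matches is suspicious too."""
    return Counter((e["rule"], e["action"]) for e in events)


def default_rule_drops(events, default_rule):
    """Flows the default deny caught, keyed without the ephemeral source port so
    repeated attempts collapse into one line per (src, dst, proto, dport)."""
    return Counter((e["src"], e["dst"], e["proto"], e["dport"])
                   for e in events if e["rule"] == default_rule and e["action"] == "DROP")


if __name__ == "__main__":
    evs = parse_dfw_log(SAMPLE_LOG)
    print(hits_per_rule(evs))
    for flow, n in default_rule_drops(evs, 1001).most_common():
        print("unwhitelisted:", flow, "x", n)
```

Two things to check before relying on this in production: packet logging is enabled per rule (the Log column in the rule table), so a default rule that is not set to log produces no lines at all; and the file lives on each ESXi host and is forwarded by the host's own syslog configuration, not by NSX Manager's, so every prepared host needs a syslog target.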

Security in the DC with NSX What is Zero Trust?

Deploying NSX Micro-Segmentation, deployment option 1: distributed segmentation
- Distributed firewall applied to each vNIC; stateful DFW policy
- Controlled communication or isolation between workloads on the same or a different VLAN
- East-west filtering by the NSX distributed firewall; the existing physical firewall and router only handle north-south communication
- Traffic discovery to determine the required flows/rules
- Advanced partner services can be inserted at each vNIC

Deploying NSX Micro-Segmentation, deployment option 2: distributed segmentation and network overlays
- Logical switches based on overlays to isolate/segment independent of the underlying physical network
- Distributed logical routers to optimize east-west routing; the Edge Services Gateway can also be leveraged for north-south routing, north-south firewalling, load balancing, NAT and VPN
- Distributed firewall providing controlled communication or isolation between workloads on the same or a different logical switch (overlay)
- Advanced partner services can be inserted at each vNIC

Deploying NSX Micro-Segmentation, deployment steps: deploying NSX Manager, VDS and host preparation
- Pre-existing management and compute clusters can be leveraged
- NSX Manager is deployed in the management cluster and registered with the existing vCenter Server
- A VDS is required for all compute clusters
- Host preparation installs the NSX VIBs on all hosts in a cluster; this is a non-disruptive operation
- After host preparation the distributed firewall is enabled on every VM with a default allow-all rule, so nothing is blocked until you publish your own rules and change the default

Policy Creation

Micro-Segmentation Policy Creation: Firewall Rule Table and Service Composer
- Firewall rule table: analogous to a typical firewall rule table; provides an overview of all rules in the system; holds DFW rules and network introspection rules; sections enable rule grouping; UI and API driven
- Service Composer: one or more security policies can be applied to security groups; policies define DFW rules and the service chain; the abstraction enables efficient service deployment; independent policies are combined specific to each workload; UI and API driven

Micro-Segmentation Policy Creation: Policy and Grouping Methodology
- Security groups allow abstraction and grouping of workloads from the underlying virtual infrastructure; members are VMs or vNICs, with context such as user identity and security posture
- End users and cloud admins are able to define application-centric security policies
- Security policies (guest introspection, distributed firewall and network introspection policies) are applied to one or more security groups of which the workloads are members
- Security tags are applied to virtual machines and can be used for dynamic security group membership (Security Tag -> Virtual Machine -> Security Group -> Security Policy)

Micro-Segmentation Policy Creation: Dynamic Policy using Security Tags, example App1 security group. Requirements: apply differentiated policy based on OS, environment and so on, and automate policy application for new applications being provisioned. Upon vRA blueprint deployment, all VMs that are part of an application are placed into a new security group, and every VM is tagged with multiple tags identifying function, zone, OS, environment and tenant: App1-Apache (DMZ, PROD, RHEL, Apache), App1-WLS (TRUSTED, PROD, RHEL, WLS), App1-ORADB (RESTRICTED, PROD, RHEL, ORADB).

Micro-Segmentation Policy Creation: Zero Trust Policy Model (rule table evaluated top-down; whitelisting / zero trust)
1. Emergency rules: used for quarantine and/or allow rules
2. Infrastructure rules (global): AD, DNS, NTP, DHCP, backup, management servers
3. Environment rules: rules between zones (Prod vs Dev, PCI vs non-PCI, inter-BU rules)
4. Inter-application rules: rules between applications
5. Intra-application rules: rules between the app tiers or between micro-services
6. Default rule = deny
The application-level rules are discovered with vRNI, Application Rule Manager (ARM) and Endpoint Monitoring (EM).
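The tag-driven groups of the App1 example and the rule order above, as an added example (not VMware code and not an export from an NSX deployment): security groups whose membership is computed from security tags, an ordered rule table ending in a default deny, and an evaluator that does what the distributed firewall does, namely filter a packet once at the source vNIC (OUT) and again at the destination vNIC (IN), honouring each rule's "Applied To" scope. The group and rule names, the extra Dev and DNS machines, and the ports are constructed. The last case shows the trap that Applied To sets: a rule that allows traffic at the destination vNIC does nothing for a source vNIC it was never pushed to.

```python
"""Tag-driven security groups and an ordered DFW rule table, evaluated on both
vNICs of a flow. Added example with constructed groups, rules and VMs.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    tags: frozenset


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    tag_all: frozenset = frozenset()   # dynamic membership: VM carries all these tags
    static: frozenset = frozenset()    # static membership by VM name

    def contains(self, vm: Optional[VM]) -> bool:
        if vm is None:                 # endpoint without a vNIC (physical, Internet)
            return False
        return vm.name in self.static or (bool(self.tag_all) and self.tag_all <= vm.tags)


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                        # security group name or "any"
    destination: str
    service: Optional[tuple]           # (proto, port) or None for any service
    action: str                        # "allow" or "deny"
    applied_to: str = "any"            # the vNICs this rule is actually pushed to


GROUPS = {g.name: g for g in [
    SecurityGroup("SG-App1", tag_all=frozenset({"App1"})),
    SecurityGroup("SG-App1-Web", tag_all=frozenset({"App1", "Apache"})),
    SecurityGroup("SG-App1-App", tag_all=frozenset({"App1", "WLS"})),
    SecurityGroup("SG-App1-DB", tag_all=frozenset({"App1", "ORADB"})),
    SecurityGroup("SG-Prod", tag_all=frozenset({"PROD"})),
    SecurityGroup("SG-Dev", tag_all=frozenset({"DEV"})),
    SecurityGroup("SG-Infra-DNS", static=frozenset({"infra-dns-01"})),
]}

# Zero-trust order: infrastructure, environment, application; default deny last.
RULES = [
    Rule("Infra: DNS", "any", "SG-Infra-DNS", ("UDP", 53), "allow"),
    Rule("Env: block Dev to Prod", "SG-Dev", "SG-Prod", None, "deny"),
    Rule("App1: web ingress", "any", "SG-App1-Web", ("TCP", 443), "allow", applied_to="SG-App1-Web"),
    Rule("App1: web to app", "SG-App1-Web", "SG-App1-App", ("TCP", 7001), "allow", applied_to="SG-App1"),
    Rule("App1: app to db", "SG-App1-App", "SG-App1-DB", ("TCP", 1521), "allow", applied_to="SG-App1"),
]
DEFAULT_ACTION = "deny"

# Constructed inventory following the App1 tagging scheme on the slide.
APACHE = VM("App1-Apache", frozenset({"App1", "Apache", "DMZ", "PROD", "RHEL"}))
WLS = VM("App1-WLS", frozenset({"App1", "WLS", "TRUSTED", "PROD", "RHEL"}))
ORADB = VM("App1-ORADB", frozenset({"App1", "ORADB", "RESTRICTED", "PROD", "RHEL"}))
DEVBOX = VM("Dev-Test-01", frozenset({"DEV", "RHEL"}))
DNS = VM("infra-dns-01", frozenset({"PROD"}))


def _member(group: str, vm: Optional[VM]) -> bool:
    return group == "any" or GROUPS[group].contains(vm)


def first_match(enforcing_vm: VM, src, dst, proto, port) -> Optional[Rule]:
    """Top-down first match on enforcing_vm's vNIC; None means the default rule."""
    for rule in RULES:
        if not _member(rule.applied_to, enforcing_vm):
            continue                   # rule is not present on this vNIC at all
        if (_member(rule.source, src) and _member(rule.destination, dst)
                and (rule.service is None or rule.service == (proto, port))):
            return rule
    return None


def evaluate(src: Optional[VM], dst: Optional[VM], proto: str, port: int):
    """Filter at the source vNIC (OUT) and the destination vNIC (IN); both must
    allow. None stands for an endpoint with no vNIC filter of its own."""
    verdicts = {}
    for side, vm in (("out", src), ("in", dst)):
        if vm is None:
            continue
        rule = first_match(vm, src, dst, proto, port)
        verdicts[side] = (rule.action, rule.name) if rule else (DEFAULT_ACTION, "default")
    return all(action == "allow" for action, _ in verdicts.values()), verdicts


if __name__ == "__main__":
    for case in [(APACHE, WLS, "TCP", 7001), (APACHE, ORADB, "TCP", 1521),
                 (DEVBOX, WLS, "TCP", 7001), (DEVBOX, DNS, "UDP", 53),
                 (None, APACHE, "TCP", 443), (WLS, APACHE, "TCP", 443)]:
        print(case[0].name if case[0] else "external", "->", case[1].name, case[2], case[3], evaluate(*case))
```

The web-to-DB case is refused by the default rule on both vNICs even though nothing names it, which is the point of the whitelist model; the Dev-to-DNS case passes because the infrastructure rule sits above the environment block; and the WLS-to-Apache case is the Applied To trap: allowed at the Apache vNIC, dropped at the WLS vNIC, so the flow fails while the rule table appears to permit it.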

Micro-Segmentation Policy Creation: Application Discovery, Methods and Tools
- Leveraging the existing firewall policy
- vRealize Network Insight
- NSX Application Rule Manager and Endpoint Monitoring
- vRealize Log Insight
- Firewall logs?

Micro-Segmentation Policy Creation: NSX Micro-Segmentation Visibility and Planning Tools
- Profile applications both on the wire and in the guest; can be used on a per-application basis
- End-to-end visibility and rule creation/enforcement
- Empowers the app team: visibility and rule creation streamline deployment
- Drives the whitelisting model: default deny, then open up the necessities
- Fast app operationalization

Micro-Segmentation Policy Creation: Visibility and Planning Tools, Application Rule Manager
- Leverages flow monitoring to monitor all flows for selected vNICs
- Flows are de-duplicated, correlated and filtered
- Optimized flow tables are presented to the user, with IP addresses/ports replaced by objects
- Users can further optimize the flow table
- Firewall rules are generated and can be published after review
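What "de-duplicated, correlated, IPs replaced by objects" amounts to, as an added example (my own code, not how Application Rule Manager is implemented): raw flow records from the monitored vNICs are collapsed on everything except the ephemeral source port, records that are just the reply direction of a flow already seen are folded away, each IP is resolved to a VM and then to its security group where the inventory knows one, and what is left is grouped into candidate allow rules per service. The inventory, group names, service names and flow records are constructed; the unresolved external address is left as a raw IP set, which is what you would expect the tool to hand back for review.

```python
"""Raw vNIC flow records -> de-duplicated, object-based candidate DFW rules.
Added example with constructed inventory and flows; not VMware's implementation.
"""
from collections import OrderedDict

# Constructed inventory: what vCenter resolves (IP -> VM) and what Security
# Group membership resolves (VM -> group).
IP_TO_VM = {"172.16.10.11": "App1-Apache", "172.16.20.12": "App1-WLS",
            "172.16.30.13": "App1-ORADB", "10.0.0.9": "infra-dns-01"}
VM_TO_GROUP = {"App1-Apache": "SG-App1-Web", "App1-WLS": "SG-App1-App",
               "App1-ORADB": "SG-App1-DB", "infra-dns-01": "SG-Infra-DNS"}
SERVICE_NAMES = {("TCP", 7001): "WebLogic", ("TCP", 1521): "Oracle",
                 ("UDP", 53): "DNS", ("TCP", 443): "HTTPS"}

# Constructed flow records seen on the monitored vNICs: (src, sport, dst, dport, proto)
RAW_FLOWS = [
    ("172.16.10.11", 41000, "172.16.20.12", 7001, "TCP"),
    ("172.16.10.11", 41001, "172.16.20.12", 7001, "TCP"),   # same conversation, new ephemeral port
    ("172.16.20.12", 7001, "172.16.10.11", 41000, "TCP"),   # reply direction of the first record
    ("172.16.20.12", 52000, "172.16.30.13", 1521, "TCP"),
    ("172.16.20.12", 52001, "172.16.30.13", 1521, "TCP"),
    ("172.16.10.11", 5300, "10.0.0.9", 53, "UDP"),
    ("198.51.100.7", 50512, "172.16.10.11", 443, "TCP"),    # external client, not in inventory
]


def dedupe_flows(raw):
    """Collapse ephemeral source ports and drop reply-direction records.

    A record is treated as a reply when the reverse tuple (dst, src, proto, sport)
    was already recorded as a forward flow; this assumes the initiating direction
    shows up first, which holds for session-start flow records but not for a
    capture that starts in the middle of a long-lived connection.
    """
    forward = OrderedDict()
    for src, sport, dst, dport, proto in raw:
        if (dst, src, proto, sport) in forward:
            continue
        key = (src, dst, proto, dport)
        forward[key] = forward.get(key, 0) + 1
    return forward


def to_object(ip: str) -> str:
    """IP -> security group if known, else the VM name, else a raw IP set."""
    vm = IP_TO_VM.get(ip)
    if vm is None:
        return "IPSet:" + ip
    return VM_TO_GROUP.get(vm, vm)


def propose_rules(raw):
    """Group de-duplicated flows by (source object, destination object, service)
    into candidate allow rules, in first-seen order, with the flow count that
    backs each one so the reviewer can judge how well-evidenced a rule is."""
    rules = OrderedDict()
    for (src, dst, proto, dport), hits in dedupe_flows(raw).items():
        service = SERVICE_NAMES.get((proto, dport), "%s/%d" % (proto, dport))
        key = (to_object(src), to_object(dst), service)
        rule = rules.setdefault(key, {"source": key[0], "destination": key[1],
                                      "service": service, "action": "allow", "flows": 0})
        rule["flows"] += hits
    return list(rules.values())


if __name__ == "__main__":
    for rule in propose_rules(RAW_FLOWS):
        print(rule)
```

Seven records become four candidate rules; the reviewer still has to decide whether `IPSet:198.51.100.7` is a legitimate client population or noise, and whether the WebLogic rule should be scoped with Applied To before publishing.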

Lab 04 Service Composer and Distributed Firewall Overview Lab time: 45 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 235 through 343 Do not END your lab, in fact extend it

Lab 05 Intelligent Grouping Lab time: 30 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 345 through 390 Do not END your lab, in fact extend it

Lab 06 User Based Security with Jumpbox Lab time: 45 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 392 through 460 Do not END your lab, in fact extend it Note: Don't forget to install Guest Introspection

Lab 07 Application Rule Manager Lab time: 30 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 462 through 504 Do not END your lab, in fact extend it Note: change the default rule to allow and disable the internal-to-internal rule

Operations and Visibility

NSX Dashboard

VM Live Flow

L2 and L3 Traceflow: test connectivity through logical and physical paths
- Ability to trace a packet (for example Web1 to Web2 across a logical switch) through the virtual and physical network; shows where the packet is dropped
- Supports L2 and L3 traceflow with a user-defined packet format
- Can be initiated from the UI or the API
- Benefits: helps identify problems in the virtual or physical network; enhanced supportability and troubleshooting; a user-defined packet header helps validate and troubleshoot firewall rules

Central CLI
NSX Central CLI
Diagram: Central CLI on NSX Manager (management plane) reaching the NSX Controllers (control plane) and the vSphere ESXi hosts and NSX Edge (data plane)
Centralized read-only commands to fetch run-time data across multiple components
Available on NSX Manager in user mode
Leverages existing communication channels between components
Can be consumed by custom scripts via APIs

Log Insight NSX Dashboards

Monitoring Network Connection and Traffic
Functionality overview
Source: https://docs.vmware.com/en/vmware-vsphere/6.5/com.vmware.vsphere.networking.doc/guid-6db73f20-c99a-43d4-9ee0-3277974ef8bf.html

VMware VDS Packet Capture
Source: https://docs.vmware.com/en/vmware-vsphere/6.5/com.vmware.vsphere.networking.doc/guid-5ce50870-81a9-457e-be56-C3FCEEF3D0D5.html

VMware VDS Packet Capture
pktcap-uw utility

VMware VDS Packet Capture
pktcap-uw utility
ESXi 5.5 (and later) built-in enhanced packet capture tool (pktcap-uw)
5 important packet capture points:
1. Capture packet as it leaves/enters VM
2. Capture traffic after NSX DFW
3. Capture VXLAN encapsulated traffic
4. Capture traffic after NSX DLR routing
5. Capture NSX control plane traffic
Source: http://blog.ipcraft.net/packet-capture-nsx-troubleshooting-pktcap-uw/
Source: http://www.yet.org/2014/09/nsxv-troubleshooting/

VMware VDS Packet Capture
Analyze capture file in Wireshark
For better and easier analysis of the packet captures, SCP the two pcap files from the ESXi host to a PC
Open one of the files with Wireshark and then click Merge from the File menu
Then choose the other pcap file
The merged captures are now both shown in Wireshark
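The merge step above, done offline as an added example rather than in Wireshark's File menu (this is not Wireshark's or pktcap-uw's code): it parses the classic little-endian pcap layout, interleaves two captures by timestamp and writes one file that Wireshark can open. It assumes both pktcap-uw files are classic pcap (not pcapng); the sample captures are constructed in memory.

```python
import struct

# Classic little-endian pcap layout (not pcapng).
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1

def make_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialise (ts_sec, ts_usec, payload) tuples into a pcap byte string."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, data in packets:
        out.append(REC_HDR.pack(sec, usec, len(data), len(data)) + data)
    return b"".join(out)

def read_pcap(blob):
    """Parse a pcap byte string into (linktype, [(ts_sec, ts_usec, payload), ...])."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    pos, packets = GLOBAL_HDR.size, []
    while pos + REC_HDR.size <= len(blob):
        sec, usec, incl, _orig = REC_HDR.unpack_from(blob, pos)
        pos += REC_HDR.size
        packets.append((sec, usec, blob[pos:pos + incl]))
        pos += incl
    return linktype, packets

def merge_pcaps(*blobs):
    """Merge captures in timestamp order; a classic pcap carries a single
    link type, so captures with different link types are rejected."""
    linktypes, packets = set(), []
    for blob in blobs:
        linktype, pkts = read_pcap(blob)
        linktypes.add(linktype)
        packets.extend(pkts)
    if len(linktypes) != 1:
        raise ValueError("captures use different link types")
    packets.sort(key=lambda p: (p[0], p[1]))
    return make_pcap(packets, linktypes.pop())

# Constructed sample captures standing in for the two pktcap-uw files,
# e.g. one taken at the VM switchport and one at the uplink.
CAPTURE_VM = make_pcap([(1000, 100, b"vm-pkt-1"), (1000, 300, b"vm-pkt-2")])
CAPTURE_UPLINK = make_pcap([(1000, 200, b"uplink-pkt-1"), (1001, 0, b"uplink-pkt-2")])

if __name__ == "__main__":
    with open("merged.pcap", "wb") as fh:  # open this file in Wireshark
        fh.write(merge_pcaps(CAPTURE_VM, CAPTURE_UPLINK))
```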

vRealize Network Insight (vRNI)

Intelligent Operations for Software-Defined Datacenter
Diagram: vRealize Network Insight, vRealize Business for Cloud (1), vRealize Operations (1) and vRealize Log Insight (2) spanning Application, Network & Security, Compute, Storage and Hybrid Cloud across the Physical/Virtual/Cloud Environment
1 vRealize Suite components
2 Included with vRealize Suite and ships with NSX

vRealize Network Insight
Transformative Operations for NSX based Software-Defined Data Center
Plan Micro-segmentation Deployment and Audit Security Compliance
Optimize Network Performance with 360° Visibility & Analytics Across Virtual, Physical and Cloud
Offers Best Practices, Health and Availability of NSX Deployment
Source: https://www.youtube.com/watch?v=p1hfxq7il3o

East-West Traffic Analysis
East-West Traffic Flow Analysis
Breakdown of Data Center Traffic by East-West, VM-to-VM, VM-to-Physical, Switched, Routed, etc.
Get Detailed Flow stats behind each number

Security Policy Automation
Micro-Segmentation
Discover vCenter and NSX constructs (folders, clusters, VLANs, security tags)
Automated Security Groupings Based on vCenter and NSX Constructs, Workload Characteristics, Ports, Common Services
Recommended Security Policies / Firewall Rules (Zero-Trust Model)
See Network Traffic Per Host, Per VM
Export as CSV

Data Paths Across Overlay And Underlay
Connectivity Graphs: VM to VM, VM to Physical, VM to Internet
Hop-by-Hop Path across Overlay (LDRs, Edge Gateways) and Underlay (Physical VDCs & VRFs). See V-To-P Boundary
Correlated Problems And Performance Metrics Across Virtual and Physical
See Effective Firewall Rules and Security Policies across NSX and PANW in Service-Chained Environment
Diagram: NSX Firewall and PANW Virtual FW over VXLAN on Converged Infrastructure (Ex: UCS); PANW Physical Firewall and Physical Network Switch/Router over VLAN

Simple & Contextual Search
Screenshot: search prompt ("Hi Shiv, what do you need help with today?")
Single pane of glass between virtual & physical
Google-like search for ease of use
Time aware search (go back in time)
Fewer clicks to find and identify issues
Simplified interface, reduce learning curve across admin teams

NSX Infrastructure Monitoring and Best Practices Checks
Configuration, Health and Consistency Validation
VTEP Level Misconfigurations
VTEPs Underlay Mapping Checks
Netcpa Health
Hosts Version Validation
LDR and Edge Config Issues
Routing Misconfigurations/Issues between LDR, Edge and Physical Routers

Lab 08 360 Visibility across Virtual and Physical
Lab time: 30 minutes
To access this lab perform the following steps:
Log in to the VMware Hands-On Labs Web site
Search for the vRNI Lab HOL-1829-01-NET
Enroll in the lab
Follow the lab steps in pages 58 through 100

Additional Resources
Websites
http://virtualizeyournetwork.com/
http://www.vmware.com/products/nsx/
VMware Hands on Labs (http://labs.hol.vmware.com)
HOL-1803-01-NET - VMware NSX - Getting Started
HOL-1803-02-NET - VMware NSX - Distributed Firewall and Micro-Segmentation
HOL-1803-03-NET - VMware NSX - Operations and Visibility
HOL-1825-01-NET - VMware NSX - Advanced Consumption
HOL-1825-02-NET - VMware NSX and SRM - Active-Standby Solution
HOL-1826-01-NET - VMware NSX-T - Getting Started
HOL-1826-02-NET - VMware NSX-T with Kubernetes
HOL-1841-01-NET - Secure Horizon with Trend Micro and NSX
HOL-1842-01-NET - VMware AppDefense - Secure Datacenter Endpoints
HOL-1823-01-NET - Palo Alto Networks VM-Series on NSX - Next-Gen Security for your SDDC
HOL-1824-01-NET - Check Point vSEC and NSX - Advanced SDDC Security
NSX for vSphere Design Guide
https://communities.vmware.com/docs/doc-27683

Free ebooks
VMware NSX Micro-segmentation: Day 1 Guide
VMware NSX Micro-segmentation: Day 2 Guide
Operationalizing VMware NSX
Automating NSX for vSphere with PowerNSX
https://blogs.vmware.com/networkvirtualization/2017/08/announcing-three-new-vmware-nsx-guides.html/

Thank you!